OFFICE OF INSPECTOR GENERAL
CORPORATION FOR NATIONAL AND COMMUNITY SERVICE

OIG Audit Report Regarding
Corporation for National and Community Service
Evaluation of Information Systems
Pursuant to the
Government Information Security Reform Act

OIG Audit Report Number 02-35
September 16, 2002

Prepared by:

KPMG, LLP
2001 M Street, NW
Washington, DC 20036

Under Corporation for National and Community Service OIG Contract
With the General Services Administration
GSA Contract No. GS-23F-8127H
Order Number CNSIG-02-G-0007

This report was issued to Corporation management on September 16, 2002. Under the laws and regulations governing audit follow up, the Corporation must make final management decisions on the report's findings and recommendations no later than March 16, 2003, and complete its corrective actions by September 16, 2003. Consequently, the reported findings do not necessarily represent the final resolution of the issues presented.

Office of Inspector General
Corporation for National and Community Service
Performance Audit of Information Systems Pursuant to
the Government Information Security Reform Act (GISRA)

Table of Contents

KPMG LETTER REPORT
   RESULTS IN BRIEF ...................................................... 1
   PROJECT OBJECTIVES .................................................... 2
   METHODOLOGY ........................................................... 2

FY 2002 GISRA REPORT
   EXECUTIVE SUMMARY - RESPONSES TO OMB QUESTIONS ........................ 1
      GENERAL OVERVIEW ................................................... 2
      RESPONSIBILITIES OF AGENCY HEAD .................................... 3
      RESPONSIBILITIES OF AGENCY PROGRAM OFFICIALS ....................... 7
      RESPONSIBILITIES OF AGENCY CHIEF INFORMATION OFFICER ............... 8
   APPENDIX A - CHART 1 - GISRA OVERALL ASSESSMENT SUMMARY ............. A-1
   APPENDIX B - GISRA ASSESSMENT SUMMARY OF AGENCY-WIDE POLICIES
   AND PROCEDURES ...................................................... B-1
   APPENDIX C - GISRA ASSESSMENT SUMMARY OF LOCAL AND WIDE AREA
   NETWORKS ............................................................ C-1
   APPENDIX D - GISRA ASSESSMENT SUMMARY OF MOMENTUM ................... D-1
   APPENDIX E - GISRA ASSESSMENT SUMMARY OF SYSTEM FOR PROGRAMS,
   AGREEMENTS AND NATIONAL PARTICIPANTS ................................ E-1

September 16, 2002

Russell George
Inspector General
Corporation for National and Community Service
Washington, DC 20525

Dear Mr. George:

At your request, KPMG LLP (KPMG) conducted a performance audit of the Corporation for National and Community Service's compliance with the Government Information Security Reform Act (GISRA) and the implementing guidance issued by the Office of Management and Budget (OMB) in OMB Memorandum M-02-09. GISRA focuses on the management of each agency's information security program, and directs that information security vulnerabilities and their remediation be explicitly considered when the agency annually considers its budget needs, priorities and allocation of funding. As required by OMB, our evaluation used Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, issued by the Department of Commerce, National Institute of Standards and Technology (NIST), in conjunction with the corollary CIO Council's Federal Information Technology Security Assessment Framework. The objectives of our evaluation were 1) to assess compliance of the Corporation's management of its information security program, 2) to assess compliance of the Corporation's operational and technical implementation of its information security program, and 3) to test the effectiveness of the Corporation's operational and technical implementation of its information security program.

Results in Brief

The GISRA assessment this year showed that the Corporation has made a few modest improvements in its security policies and procedures documentation, but has continued to place its primary emphasis on the operational aspects of maintaining information security and on implementing e-Grants, a major new application system.
OMB's GISRA guidance directs agencies to adopt the NIST Security Self-Assessment, or an equivalent tool, that heavily emphasizes the need to document an agency's security policies, procedures and practices, and to document that agency personnel review and verify their implementation. Achieving the level of documented procedures and verification envisioned by GISRA and the NIST Security Self-Assessment poses a substantial challenge for a small agency like the Corporation. During the past year, these documentation requirements did not receive as much of the Corporation's attention as its operational security concerns. However, the lack of incidents and the results of external penetration testing demonstrate that the Corporation's critical systems were effectively protected.

Office of Inspector General
Corporation for National and Community Service
Page 2

An underlying condition that affects the Corporation's ability to comply with all GISRA requirements is the consistent lack of Information Technology (IT) resources. The Corporation's small IT staff places priority on operational matters and keeping pace with technological change. It often has little or no residual capacity for improving documentation and procedures. That has been especially true in FY 2002, when the Corporation developed a new application system to support one of its most significant missions, grants management.

Current Corporation security policies generally instruct that there be compliance with GISRA; however, the accompanying procedures have not been updated to reflect the expanded responsibilities of program officials and the need for routine, annual security assessments using the NIST self-assessment methodology. In early FY 2001, as part of the re-accreditation of its systems, the Corporation had a contractor perform a risk analysis, vulnerability assessment and an update to the system security plan for each of its systems. That work substantially met the intent of the GISRA requirement for assessments. In mid-August 2002 a contractor was engaged to conduct a GISRA assessment based on the NIST methodology.

The lack of any security incidents or breaches in FY 2002 indicates that at an operational level the Corporation has maintained effective security for its systems. However, it does not have security consistently integrated into its planning, budgeting, documented procedures and routine testing as envisioned by GISRA legislation and regulation.

Project Objectives

Our objectives were to conduct an independent evaluation of the Corporation's information security program and practices, to test the effectiveness of the Corporation's security control techniques, and to ascertain the Corporation's degree of compliance with the Government Information Security Reform Act (GISRA) and implementing guidance from OMB.

Methodology

OMB Memorandum 02-09 requires the use of the NIST "Security Self-Assessment Guide for Information Technology Systems", NIST Special Publication 800-26 (the NIST Guide), and the corollary CIO Council's "Federal Information Technology Security Assessment Framework" (the Framework). Together they provide a vehicle for a consistent and effective measurement of the security status for a given asset. The NIST Guide provides specific questions that identify the control criteria against which agency policies, procedures and security controls are evaluated.

The Framework is divided into five levels:

   Level 1 reflects that an asset has documented security policies.
   Level 2: the asset also has documented procedures and controls to implement the policies.
   Level 3 indicates that procedures and controls have been implemented.
   Level 4 shows that the procedures and controls are tested and reviewed.
   Level 5: the asset has procedures and controls that are fully integrated into a comprehensive life cycle program and into the strategic planning and resource allocation processes of the agency.

The evaluation of the Corporation's assets was performed in accordance with the NIST Guide methodology in the same four areas that were done in FY01:

   Momentum (the Corporation's financial management system)
   SPAN (System for Programs, Agreements and National Service Participants)
   The Corporation's Network
   Agency-wide policies and procedures that are not specific to an individual system

The Web Based Reporting System (WBRS), which is due to be replaced in FY03, and the e-Grants system, which is just becoming operational, were not included in the evaluation.

In addition to the review of policies, procedures and practices, a Vulnerability and Penetration Assessment was performed on the Corporation's external and internal networks. The external testing showed no weaknesses in perimeter security defenses; however, internal testing of the network and servers uncovered a few procedural lapses that were easily remedied, but potentially serious if discovered by the wrong parties.

The results of the KPMG evaluations that were done using the NIST Guide's methodology are summarized in Appendices A through E, following the Executive Summary that contains responses to OMB's questions. (Detailed information to support each rating for each criterion is contained in the workpapers.)
In Appendix A, Chart 1 shows the overall results for all four evaluations.

We conducted our audit in accordance with auditing standards generally accepted in the United States of America and the standards applicable to performance audits contained in Government Auditing Standards, issued by the Comptroller General of the United States.

This report is intended solely for the information and use of the Office of the Inspector General, the management of the Corporation for National and Community Service, the Office of Management and Budget, and the United States Congress and is not intended to be and should not be used by anyone other than these specified parties.

Felipe Alonso
Partner, KPMG LLP

OFFICE OF INSPECTOR GENERAL
CORPORATION FOR NATIONAL AND COMMUNITY SERVICE

FY 2002 GISRA Report
Responses to OMB Questions
Executive Summary

Summary

The GISRA assessment this year showed that the Corporation has made a few modest improvements in its security policies and procedures documentation, but has continued to place its primary emphasis on the operational aspects of maintaining information security and on implementing e-Grants, a major new application system. OMB's GISRA guidance directs agencies to adopt the NIST Security Self-Assessment, or an equivalent tool, that heavily emphasizes the need to document an agency's security policies, procedures and practices, and to document that agency personnel review and verify their implementation. Achieving the level of documented procedures and verification envisioned by GISRA and the NIST Security Self-Assessment poses a substantial challenge for a small agency like the Corporation. During the past year, these documentation requirements did not receive as much of the Corporation's attention as its operational security concerns. However, the lack of incidents and the results of external penetration testing demonstrate that the Corporation's critical systems were effectively protected.

An underlying cause for this is probably the consistent lack of Information Technology (IT) resources. The Corporation's small IT staff places priority on operational matters and keeping pace with technological change. It often has little or no residual capacity for improving documentation and procedures. That has been especially true in FY 2002, when the Corporation developed a new application system to support one of its most significant missions, grants management.

Although IT systems are relied upon for all of its major missions, CNS employees with IT responsibilities comprise only about 1.5% of the total number of employees (9 out of more than 600). Contractor staff also support IT functions, but all together the IT staff is less than 3% of the total. While it is not the only factor, the limited number of IT resources greatly hinders the Corporation's ability to comply with all GISRA requirements.

Current Corporation security policies generally instruct that there be compliance with GISRA; however, the accompanying procedures have not been updated to reflect the expanded responsibilities of program officials and the need for routine, annual security assessments using the NIST self-assessment methodology. In early FY 2001, as part of the re-accreditation of its systems, the Corporation had a contractor perform a risk analysis, vulnerability assessment and an update to the system security plan for each of its systems. That work substantially met the intent of the GISRA requirement for assessments. In mid-August 2002 a contractor was engaged to conduct a GISRA assessment using the NIST methodology.

FY 2002 GISRA Report                       Page 1                        Executive Summary

The lack of any security incidents or breaches in FY 2002 indicates that at an operational level the Corporation has maintained effective security for its systems. However, it does not have security consistently integrated into planning, budgeting, documented procedures and routine testing as envisioned by GISRA legislation and regulation.

The vulnerability analysis and penetration testing that were performed on the Corporation's external and internal networks showed no weaknesses in perimeter security defenses. However, internal testing of network components and servers uncovered a few procedural lapses in the installation of commercial-off-the-shelf software that were easily remedied, but potentially serious if discovered by the wrong parties. Once vulnerabilities were identified, the Corporation acted promptly, as it usually does, to fix the problems.

During the past year the Corporation has updated the documentation of its Incident Handling procedures, Systems Development Life Cycle (SDLC) procedures and the user documentation for the Momentum and SPAN systems. It has also made the Corporation's Network and Systems Security Plan an attachment to the Corporation's Strategic Plan. However, the Corporation continues to have weaknesses in the documentation of security procedures and practices, and in documentation that there is consistent verification and review of security controls and audit logs.

During FY 2002 the Corporation also made some difficult-to-implement changes to its Web Based Reporting System (WBRS) to improve the strength of passwords and related procedures.

The Corporation has no policies or procedures for the review of outsourced IT functions, activities, or interconnections. It relies entirely on the security provided by the other government agency or contractor.

There are no documented procedures for conducting risk assessments. The risk assessments done in conjunction with system re-accreditations in FY 2001 contain no assessment of business impact. Additionally, the Continuity of Operations (COOP) Plan has not been updated or tested since Y2K.

A. General Overview

   1. Total Security Funding

      Per OMB guidance this information is to be provided by the Corporation.

   2. Total Number of Programs and Systems in the Agency and Number Reviewed

      In FY01:
         The IG used the complete NIST Security Self-Assessment methodology.
         The Corporation re-accredited its systems in accordance with OMB Circular A-130.
         The re-accreditation process covered some, but not all, of the security topics contained in the NIST Security Self-Assessment Guide.

      In FY02:
         The IG used the complete NIST Security Self-Assessment methodology.
         The CIO used the NIST Security Self-Assessment methodology.

                                                      FY01          FY02
      a. Total number of agency programs.               3             3
      b. Total number of agency systems.                4             5
                                                   CIO    IG      CIO    IG
      c. Total number of programs reviewed.         3      3       3      3
      d. Total number of systems reviewed.          4      3       4      3

      Programs:   AmeriCorps, Senior Corps, Learn and Serve
      Systems:    Momentum, SPAN, WBRS, e-Grants*, LAN

      * e-Grants, the Corporation's new grants management system, is included in the OIG's GISRA assessment for 2002 as a system, although it achieved only limited operational status in June 2002 and will be tested with a very limited number of grant applications prior to September 30, 2002. The Corporation's GISRA assessment does not count e-Grants as an operational system, because e-Grants will not become fully operational until FY 2003. The Corporation will fully assess and accredit the e-Grants system during FY 2003.

   3. Material Weakness in Policies, Procedures, or Practices

                                                                 FY01        FY02
      a. Number of material weaknesses reported.                   0           0
      b. Number of material weaknesses repeated in FY02.           0           0

B. Responsibilities of Agency Head

   1. Specific Steps by the Agency Head to set forth the Security Act's responsibilities for the CIO and Program Officials

      The paragraph below is an excerpt from the Corporation's Network and Computer Security Policy #376, effective July 2001. It is the only documented policy guidance to the CIO and Program Officials concerning their responsibilities for carrying out the Government Information Security Reform Act (GISRA).

         "The Government Information Security Reform Act requires Federal agencies to ensure that: each major system has a security plan; each responsible program official reviews that plan annually; and an independent evaluation of that review is conducted annually. The Corporation will use the accreditation work described below as the basis of this review process every three years. In the intervening two years, each responsible program official, with the assistance of the staff of the Chief Information Officer, will prepare a brief review of changes made to the system since the past accreditation/re-accreditation. They then will certify whether the security controls described in the accreditation/re-accreditation are still adequate. The Chief Information Officer will arrange for the independent review of those certifications."

      How such steps are implemented and enforced

      Corporation management states that security responsibilities and actions of the CIO and Corporation program officials are included as part of their individual performance evaluations and were reviewed in this fiscal year.

      IT Investment Decisions

      Major operating components of the Corporation cannot make an IT investment decision without the Corporation CIO's concurrence.

   2. How the head of the agency ensures that the agency's information security plan is practiced throughout the life cycle of each agency system:

      The Corporation relies on an independent contractor to periodically conduct risk assessments, to update system security plans and to evaluate security controls. Upon receipt of the contractor's reports, the Corporation re-accredits its systems. Such accreditation first occurred in 1997, and was re-performed in August 2001. In FY 2002, the Corporation's systems were not re-accredited; however, the Corporation has a contract to have that done before December 31, 2002.

      During the course of FY 2002 the Corporation developed and put into limited production a new system that for the first time automates its grants management processes, a major part of the Corporation's mission. Corporation management has contracted to have the initial risk assessment, vulnerability analysis and security plan performed later this year.

      Specific and direct actions to oversee the performance of 1) agency program officials and 2) the CIO to verify that such officials are ensuring that security plans are up-to-date and that security plans are practiced throughout the lifecycle of each system

      Modifications to three of the Corporation's systems were made during the course of implementing the new grants management system. The Corporation has a contract to re-perform risk assessments, vulnerability analyses and updates to the system security plans for these three systems before December 31, 2002.

   3. How the agency has integrated its information and information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., continuity of operations, and physical and operational security).

      The Corporation has a small information technology staff that is responsible for all information security, disaster recovery and continuity of operations matters. There are no separate staff nor different officials responsible for any type of security program.

   4. Has the agency undergone a Project Matrix review?

      The Corporation has not done a Project Matrix Review. However, the Corporation has a single communications network, and considers all of its systems to be critical, except those that are small desktop systems.
      All of the Corporation's systems are within one network security perimeter, with only a very limited number of external connections.

   5. How the agency head ensures that the agency has documented procedures for reporting security incidents and sharing information regarding common vulnerabilities

      The Computer Incident Response Guidelines, effective August 2001, document the Corporation's procedures for identifying and responding to security incidents. They define the types of incidents, the roles of organizational members (e.g., end users, the Information System Security Officer (ISSO), Computer Emergency Response Team, etc.), and its six-stage structured approach to responding to computer security incidents. The Deputy Chief Information Officer is responsible for the external reporting to the Federal Computer Incident Response Center and the notification of the Corporation's Inspector General.

      Procedures for external reporting to law enforcement authorities and to the General Services Administration's Federal Computer Incident Response Center (FedCIRC)

      The guidelines state that the Deputy CIO and the ISSO will notify the Inspector General if there is evidence of criminal activity. There are no specific procedures contained within the guidelines related to how the Deputy CIO determines which events will be reported to FedCIRC.

      Actual performance

      a. Total number of agency components including bureaus, field activities.
         55 (field offices and service centers)
      b. Number of agency components with incident handling and response capability.
         Incident handling and response capabilities are centrally supported by CNS HQ OIT staff for all field offices and service centers that utilize the CNS LAN.
      c. Number of agency components that report to FedCIRC.
         1
      d. Do the agency and its major components share incident information with FedCIRC in a timely manner consistent with FedCIRC and OMB guidance?
         Per Corporation management there have been no incidents to report in FY02.
      e. What is the required average time to report to the agency and FedCIRC following an incident?
         4 hours
      f. How does the agency, including the programs within major components, confirm that patches have been tested and installed in a timely manner?
         Corporation management states that patches are reviewed and tested prior to installation into the Production environment.
      g. By agency and individual component, number of incidents (e.g., successful and unsuccessful network penetrations, root or user account compromises, denial of service attacks, website defacing attacks, malicious code and virus, probes and scans, password access) reported by each component.
         FY01 and FY02 (same response for both years): There were no successful intrusions. There is no known requirement to maintain information related to the number and types of unsuccessful attempted intrusions. If such a requirement were defined, the Corporation has stated it would comply.
      h. By agency and individual component, number of incidents reported externally to FedCIRC or law enforcement.
         FY01 and FY02: Per Corporation management, there were no reportable incidents.

C. Responsibilities of Agency Program Officials

   1. Have agency program officials assessed the risk to operations and assets under their control, determined the level of security appropriate to protect such operations and assets, maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control, and tested and evaluated security controls and techniques?

      The Corporation relies on an independent contractor to periodically conduct risk assessments, to evaluate security controls and to update system security plans. Upon receipt of the contractor's reports, the Corporation re-accredits its systems. Such accreditation first occurred in 1997, and was re-performed in August 2001. In FY 2002, the Corporation's systems were not re-accredited; however, Corporation management has stated it intends to do so before December 31, 2002. At the end of August 2002, a contractor began assessing the Corporation's systems, using the NIST Security Self-Assessment Guide methodology.

      Actual Performance

                     Corporation for National and Community Service

      Total Number of Agency Systems                          FY01 #   FY01 %   FY02 #   FY02 %
      a. Systems that have been assessed for risk.
      b. Systems that have been assigned a level of risk
         after a risk assessment has been conducted
         (e.g., high, medium, or basic).
      c. Systems that have an up-to-date security plan.
      d. Systems that have been authorized for processing
         following certification and accreditation.
      e. Systems that are operating without written
         authorization (including the absence of
         certification and accreditation).
      f. Systems that have the costs of their security
         controls integrated into the life cycle of the
         system.
      g. Systems for which security controls have been
         tested and evaluated in the last year.
      h. Systems that have a contingency plan.
      i. Systems for which contingency plans have been          4      100%       4       80%
         tested in past year.
      AGENCY TOTAL                                              4      100%       4       80%

      The 20% of the Corporation systems not tested in FY02 relates to the new e-Grants system that achieved limited operational status in June 2002. (See explanatory note on page 3 above.)

   2. Contractor Provided Services or Services Provided by Another Agency

                     Corporation for National and Community Service
                                                                            FY01    FY02
      a. Number of contractor/agency operations or facilities.                5       5
      b. Number of contractor/agency operations or facilities reviewed.       5       5

      Contractors and other government agencies:
         Aguirre Corporation/Interliant Inc.
         DOI National Business Center
         USDA National Finance Center
         Digex
         Sungard

D. Responsibilities of Agency Chief Information Officer

   1. Has the agency CIO:

      Adequately maintained an agency-wide security program;

      The lack of any security incidents or breaches in FY 2001 and FY 2002 indicates that at an operational level the Corporation has maintained effective security for its systems. However, it does not have security consistently integrated into planning, budgeting, documented procedures and routine testing as envisioned by GISRA legislation and regulation.

      Ensured the effective implementation of the program and evaluated the performance of major agency components;

      The Corporation has no components outside the headquarters facility with any significant IT capacity. The headquarters facility is small enough for the CIO to daily observe its operations.

      Ensured the training of agency employees with significant security responsibilities

      In addition to the security training that all CNS employees receive, information technology (IT) technical staff receive additional specialized security training according to job responsibilities and needs. They attend technical security training classes and conferences, and subscribe to on-line alert sources to further their knowledge of security and remain current with the rapidly evolving game of cat and mouse that information security has become. In 2002, six IT security specialists have attended specialized security training classes and conferences.

      a. Other than GAO or IG audits and reviews, how many agency components and field activities received security reviews?
      b. What percentage of components and field activities have had such reviews?
         FY01: 100% through automated means. FY02: 100% through automated means.
      c. Number of agency employees including contractors.
         FY01: Approx. 700. FY02: Approx. 700.
      d. Number and percentage of agency employees including contractors that received security training.
      e. Number of employees with significant security responsibilities.
      f. Number of employees with significant security responsibilities that received specialized training.
      g. Briefly describe what types of security training were available.
         FY01: Seminars, Classes, Conferences. FY02: Seminars, Classes, Conferences on Security and Information Assurance.
      h. Total costs for providing training described in (g).

      The Corporation maintains its systems as a single entity which is composed of 55 locations. Since the IT resources for all locations are centrally provided, audits and reviews that are conducted are inclusive of all 55 locations.

      i. Do agency POA&Ms account for all known agency security weaknesses including all components and field activities? If no, why not?
         The major findings from the IG's FY01 GISRA
assessment were included\n                                                               on the Corporation\'s\n                                                               single POA&M.\n        j. Has the CIO appointed a senior agency               There is one Security\n        information security official?                         Officer for the\n                                                                Corporation.\n       All system users are required to receive system security training prior to being\n       granted initial access to the Corporation\'s systems. In addition the Corporation\n       maintains a database that records yearly participation in security training and\n       disables user accounts if that training is not taken within the specified time period.\n\n   2. Contractor Provided Services or Services Provided by Another Agency\n\n\n       I a.Number of contractor                I           5          I          5\n        operations or facilities.\n        b. Number of contractor                            5                      5\n        operations or facilities reviewed.         Reviewed through       Reviewed through\n                                                   automated means.       automated means.\n\n       Contractors and other government agencies:\n          Aguirre Corporatiodhterliant Inc.\n          DO1 National Business Center\n          USDA National Finance Center\n          Digex\n          Sungard\n   3. Has the agency CIO fully integrated security into the agency\'s capital\n      planning and investment control process? Were security requirements and\n      costs reported on every FY03 capital asset plan the exhibit 53 submitted by\n      the agency to OMB.\n       The Corporation did report estimated security costs as part of the FY 2003 exhibit\n       53 submission and again as part of the FY 2004 submission. 
In the budget\n       submission itself only certain costs are specifically identified such as security\n       training, accreditatiodGISRA contracts and personnel. All other costs, such as\n       security software, hardware and software maintenance are included under\n       consolidated support items.\n\n       Actual performance\n                                                                      FY03           FYO4\n         a. Number of capital asset plans and justifications           4              4\n         submitted to OMB?\n\n\nFY 2002 GlSRA Report                         Page 10                        Executive Summary\n\x0cOfficc of Inspector General\nCorporation f\'or National and Community Service\n\n\n           b. Number of capital asset plans and justifications        0            0\n           submitted to OMB without requisite security\n           information and costs?\n           c. Were security costs reported for all agency            Yes          Yes\n           systems on the agency\'s exhibit 53?\n           d. Have all discrepancies been corrected?                 No           No\n           e. How many have the CIOIother appropriate official        4            4\n       /   independently validated prior to submittal to OMB?    
\n\n\x0c                       APPENDIX A\n\n\x0c                                       Chart 1 - Overall GISRA Assessment Summary\n\n(Chart: the column headings are the five CIO Council Framework Levels, Level 1 Documented Policy,\nLevel 2 Documented Procedures, Level 3 Implemented Procedures and Controls, Level 4 Tested and\nReviewed Procedures and Controls, and Level 5 Fully Integrated Procedures and Controls, each with\n\'01 and \'02 sub-columns; the row headings are the control objectives. The chart body is not\nreproduced.)\n\n\x0cNote on reading Chart 1\nIn Chart 1 above, the CIO Council Framework Levels are shown as column headings\nwith the individual Corporation assets that were evaluated shown diagonally below them.\nThe NIST Guide\'s control criteria are shown as row headings. The control criteria fall\ninto three general groupings: Management Controls, Operational Controls and Technical\nControls.\nIn the main body of the charts a "Yes" means that the criteria for the specific control\nobjective at the specific Framework Level were met. A "Yes*" means that some\nweaknesses were observed, but the criteria were generally met. A "No" means the\ncriteria were not met in some significant respect. The chart has similar ratings shaded\nthe same tone. The black areas are not relevant.\nA similar chart in each of the following appendices shows the evaluation results for each\nsystem.\n\n\n\x0c                       APPENDIX B\n\n\x0c             AGENCY-WIDE POLICIES AND PROCEDURES\n                GISRA Assessment Summary\n                         FY 2002\n\n\nThe Corporation for National and Community Service (CNS) maintains both WAN and\nLAN connections for its employees, contractors, and the classrooms of the AmeriCorps\nNational Civilian Community Corps (NCCC). There are more than 800 computers in use\non the CNS network. The Corporation\'s WAN connects LANs at the Corporation\'s\nregional service centers, NCCC campuses, and state offices with the Corporation\'s\nheadquarters. Regional service centers have local network servers. However, the\nmajority of the Corporation\'s network servers are located at Corporation headquarters in\nWashington, DC. These servers also provide email and Oracle services to the entire\nWAN. 
The Corporation has continuous connection to a disaster recovery site in\nHerndon, VA for immediate cut-over in case of an emergency. The Corporation\'s\nheadquarters is connected to the disaster recovery site via a dedicated T1 line.\nThe Corporation uses Momentum as its financial management system. Momentum is an\nOracle based proprietary system developed by AMS. The Web Based Reporting System\n(WBRS) is a Lotus Notes Domino program developed to help State commissions and\nother grantees provide financial and program status information to the Corporation.\nMomentum and WBRS are both managed at remote data centers. The System for\nPrograms, Agreements, and National Service Participants (SPAN) is an Oracle based\nsystem used to manage the National Service Trust and to provide AmeriCorps member\neligibility and service information.\nThe senior CNS official responsible for agency-wide information technology policies and\nprocedures is the Chief Information Officer, Dave Spevacek.\nThe methodology used for this GISRA assessment is the CIO Council\'s Federal\nInformation Security Self-Assessment Framework. The Self-Assessment Framework\nrequires the use of the control criteria found in NIST Special Publication 800-26.\nThe remainder of this report summarizes the key strengths and weaknesses for\nmanagement, operational, and technical controls. Each weakness is classified with a\nseverity rating of major, medium or minor. 
Special weight was given to those areas that\nGISRA directly addresses.\n\n\n\x0c                                                  Chart 2 - Agency-Wide - GISRA Assessment Summary\n\n(Chart: columns are Framework Levels 1 to 5, Documented Policy; Documented Procedures; Implemented\nProcedures and Controls; Tested and Reviewed Procedures and Controls; Fully Integrated Procedures and\nControls, each with FY01 and FY02 sub-columns; rows are the control objectives, among them\n1. Risk Management, 2. Security Controls, 4. Authorize, 5. Security Plan and 13. Production I/O, the\nlast rated N/A in both years. The chart body is not reproduced.)\n\n\n\x0cStrengths: In accordance with OMB Circular A-130, the CNS Computer Security Policy\nrequires that risk assessments be conducted every three years or when major system\nchanges occur. In conjunction with the re-accreditation process, risk analyses were\nconducted for all of CNS\'s mission critical systems and network in FY01. Similar\nre-accreditations began in August 2002. Corporation program officials are required to\naccept responsibility for the risks identified to mission critical systems and for the level\nof security provided to mitigate those risks. CNS has a documented security plan that\nidentifies security related activities that are to be performed, their frequency, and the\nresponsibilities for performance.\nWeakness: CNS does not have documented procedures for conducting risk assessments.\nCNS relies upon the guidance in OMB Circular A-130 (severity: medium). The most\nrecent risk assessments performed for the Corporation have not included a business\nimpact analysis (severity: medium).\n\n\n\n\nStrengths: Per the CNS computer security policy, user access is restricted based upon "a\nneed to know". Users\' access is restricted to only the information required to perform\ntheir jobs and as authorized by their supervisors. CNS requires that access request forms\nbe completed and approved by management prior to granting an employee access to the\nCNS Network or applications. 
Background investigations are completed for all CNS\nemployees.\nPortable fire extinguishers are located in Corporation office spaces, and an automated fire\nsuppression system is installed in the building. In the event of a power outage, the\nCorporation has an Uninterruptible Power Supply that will allow for the orderly shut\ndown of the network. The CNS policy on "Safeguarding Sensitive Information and\nDocuments" provides users with guidelines for storage, disposal and handling of sensitive\ninformation and documents.\nWeakness: Risk assessments for Corporation facilities to identify threats, vulnerabilities\nand potential business impacts are not required by CNS\'s security policy. CNS relies\nupon the guidance in OMB Circular A-130 (severity: medium).\n\n\n\n\nStrengths: Access to the CNS network and applications is granted on a need-to-know\nbasis. Users are not granted emergency or temporary access. All users must adhere to\nthe CNS authentication policies and procedures. Users are required to obtain supervisory\nauthorization to obtain access to applications residing on the CNS network.\n\n\x0cWeakness: There is no policy or procedure that requires CNS users to use strong\npasswords (i.e. passwords with a combination of letters, numbers, and special characters).\nPeriodically, IT security management uses security tools to detect user accounts with\nweak passwords. Users with weak passwords are instructed to modify their passwords\nimmediately. The version of MS Windows currently on many of the workstations does\nnot provide an automated method for central enforcement of strong passwords. The\nCorporation is in the process of upgrading the MS Windows software on all workstations\n(severity: medium).\n\n\n\x0c                       APPENDIX C\n\n\x0c                   LOCAL AND WIDE AREA NETWORKS\n                    GISRA ASSESSMENT SUMMARY\n\n\n\nThe Corporation for National Service (CNS) Network consists of a local area network\n(LAN) in the headquarters office, with a high speed Frame-Relay network provided by\nMCI for remote Regional Service Centers, State Offices, National Civilian Community\nCorps (NCCC) campuses and remote processing sites. Web servers reside on the public\nside of the Corporation Network outside the headquarters firewall, and are provided by\nDigEx. A single high speed Internet connection through the firewall is provided for all\nCorporation users. Some dial-in service is provided for remote offices through a\nserver-controlled modem pool. The Corporation\'s website, http://www.cns.gov, is managed by\nDigex.\n\nThe Office of Information Technology (OIT) provides all administrative and problem\nsupport for IT equipment installed in remote offices. OIT monitors network\nvulnerabilities, maintains an intrusion detection capability on the network, and\nperiodically performs its own penetration testing.\nMr. Tom Hanley, Deputy CIO, is the designated program official for the Corporation\nNetwork, and is responsible for overall network security.\nThe methodology used for this GISRA assessment is the CIO Council\'s Federal\nInformation Security Self-Assessment Framework. The Self-Assessment Framework\nrequires the use of the control criteria found in NIST Special Publication 800-26.\nThe remainder of this report summarizes the key strengths and weaknesses for\nmanagement, operational, and technical controls. 
Each weakness is classified with a\nseverity rating of major, medium or minor. Special weight was given to those areas that\nGISRA directly addresses.\n\n\n\x0c                                                   Chart 3 - Network - GISRA Assessment Summary\n\n(Chart: columns are Framework Levels 1 to 5, Documented Policy; Documented Procedures; Implemented\nProcedures and Controls; Tested and Reviewed Procedures and Controls; Fully Integrated Procedures and\nControls, each with FY01 and FY02 sub-columns; rows are the control objectives. The chart body is\nnot reproduced.)\n\n\n\x0cStrengths: A re-accreditation of the network was completed in February 2001 and is\nbeing performed again in FY02. Various monitoring tools have been enabled to identify\nand observe threats and vulnerabilities (i.e. vulnerability analyses and penetration testing\nare performed annually). Pro-active measures, such as required security awareness\ntraining, a virus protection program, access controls, and remote site network\nmanagement are indications of management\'s day-to-day attention to security. CNS\nimplemented a new System Development Life Cycle (SDLC) policy and methodology in\nAugust 2002.\nCNS policy requires that each critical system have a system security plan. CNS has\ndeveloped such a plan for the network. The Corporation\'s security program, which\nincludes the IT Network Security Plan, is included as an appendix to the Information\nManagement Strategic Plan.\nIn mid-August 2002, the Corporation began a GISRA assessment in accordance with the\nNIST Security Self-Assessment methodology and the CIO Council\'s Federal Information\nTechnology Security Assessment Framework using contractor personnel.\nWeakness: CNS does not have documented procedures for conducting risk assessments.\nCNS relies upon the guidance in OMB Circular A-130 (severity: medium). The most\nrecent risk assessments performed for the Corporation have not included a business\nimpact analysis (severity: medium).\n\n\n\n\nStrengths: Job descriptions within OIT reflect assigned responsibilities, include\nrequirements for technical knowledge, skills and abilities, and can be used for\nperformance evaluations. Access to systems is restricted prior to the completion of the\nnew employee computer security training and supervisory approval. The computer room\nat CNS headquarters, which houses the majority of the network and server components,\nis a restricted access facility. Access is restricted to a limited number of authorized\nindividuals. Visitors must sign in and be escorted by an authorized individual. 
All\naccess is logged via the Kastle card key system. The computer room has an\nuninterruptible power supply that protects against power fluctuations and outages. A\nDisaster Recovery Plan was last updated in August 2001. CNS tested its Disaster\nRecovery Plan in August 2001 and advised that it plans to conduct another test in\nSeptember 2002. Functional users participate in the disaster recovery testing to ensure\nthe availability and accuracy of critical business applications and data. An ongoing\nsecurity awareness program has been implemented. It includes first-time training for all\nnew employees, contractors, and users, and periodic refresher training thereafter. A new\nversion of the Computer Incident Response Guidelines was released August 2001. The\n\x0cCNS Computer Incident Response Guidelines address the conditions and procedures for\ninvolving the CNS Inspector General (IG) or external federal authorities.\nWeakness: Risk assessments for Corporation facilities to identify threats, vulnerabilities\nand potential business impacts are not required by CNS\'s security policy. CNS relies\nupon the guidance in OMB Circular A-130 (severity: medium). The Disaster Recovery\nPlan needs to be updated to reflect changes in the LAN environment (severity: medium).\n\n\n\n\nStrengths: All personnel who are given access to the system, including those needing it\nfor a limited duration, must follow the standard procedures before being granted access.\nLogical access controls are in place for the local and remote network. In addition to\ncontrolling access to the network by users, CNS controls network access by port based on\nthe MAC address of the PC or server. The Network Security Plan describes numerous\nchecks that must be made of a variety of security controls, the frequency of the checks\nand who is responsible for making them. Review of various audit logs is included in the\nlist.\nWeakness: There is no policy or procedure that requires CNS users to use "strong"\npasswords (i.e. passwords with a combination of letters, numbers, and special characters).\nPeriodically, IT security management uses security tools to detect user accounts with\n"weak" passwords. Users with "weak" passwords are instructed to modify their\npasswords immediately. The version of MS Windows currently on many of the\nworkstations does not provide an automated method for central enforcement of strong\npasswords. However, the Corporation is in the process of upgrading the MS Windows\nsoftware on all workstations (severity: medium).\nDuring our penetration testing, procedures and policies that dictate how Administrator\naccounts are to be set up were not followed. A server \'Administrator\' account with a\nweak password was detected and compromised. In addition, some database accounts still\nhad the software vendor\'s default passwords. These were also detected and\ncompromised. When advised of these situations, the Corporation took prompt action to\nremedy them (severity: medium).\n\n\n\x0c                       APPENDIX D\n\n\x0c                              MOMENTUM\n                       GISRA ASSESSMENT SUMMARY\n                               FY 2002\n\n\nMomentum is the Corporation\'s financial management system. 
It was implemented in\nSeptember 1999, and consists of 10 modules: Accounts Payable, Accounts\nReceivable, Automated Disbursements, Budget Execution, Cost Allocation, General\nLedger, General System, Planning, Project Cost Accounting and Purchasing. The\nMomentum computers are located at the Department of Interior\'s National Business\nCenter, but Corporation users have access to Momentum as if it were a local system.\nMomentum was developed by American Management Systems (AMS), which remains\nresponsible for development, maintenance and configuration control of the application.\nMomentum hardware is operated for CNS at the Department of Interior (DOI) National\nBusiness Center (NBC) in Reston, Virginia. CNS has a Service Level Agreement with\nNBC. NBC in turn has a contract with AMS for maintenance of the Momentum software.\nThe Momentum system is connected to the CNS LAN by a dedicated T-1 line.\nData in the Momentum application is critical to CNS financial management. Momentum\nprovides both comprehensive financial planning capabilities and a means to record\nfinancial transactions. The system provides both detailed and summarized financial\ninformation in a multitude of easily understandable formats to enable users to evaluate\nand analyze the financial activities.\nThe "senior program official" in CNS responsible for Momentum is Gerry Yetter,\nDirector of Accounting. Wynn Cooper, Financial Systems Team Lead, assists Gerry\nYetter.\nThe methodology used for this GISRA assessment is the CIO Council\'s Federal\nInformation Security Self-Assessment Framework. The Self-Assessment Framework\nrequires the use of the control criteria found in NIST Special Publication 800-26.\nThe remainder of this report summarizes the key strengths and weaknesses for\nmanagement, operational, and technical controls. Each weakness is classified with a\nseverity rating of major, medium or minor. Special weight was given to those areas that\nGISRA directly addresses.\n\n\n\x0c                                        Chart 4 - Momentum - GISRA Assessment Summary\n\n(Chart: columns are Framework Levels 1 to 5, Documented Policy; Documented Procedures; Implemented\nProcedures and Controls; Tested and Reviewed Procedures and Controls; Fully Integrated Procedures and\nControls; rows are the control objectives. The chart body is not reproduced.)\n\n\n\x0cStrengths: As part of the re-accreditation of Momentum, data sensitivity and integrity\nwere considered. CNS maintains a system security plan for the Momentum application,\nconsistent with the CNS Computer Security Policy. The security plan was developed in\naccordance with NIST 800-18 guidance. Physical safeguards have been established that\nare commensurate with the risks of physical damage or access. Security controls for\nCNS\'s mission critical systems, which include Momentum, have been reviewed every\nthree years in accordance with OMB A-130 re-accreditation requirements. Procedures\nfor reporting security incidents and weaknesses are in place and linked to the risk\nmanagement process.\nWeakness: CNS does not have documented procedures for conducting risk assessments.\nCNS relies upon the guidance in OMB Circular A-130 (severity: medium). The most\nrecent risk assessments performed for the Corporation have not included a business\nimpact analysis (severity: medium). 
There is no documented procedure for the periodic\nreview of the operating system\'s configuration (severity: medium). There is no\ndocumented procedure for determining the sensitivity of the system (severity: minor).\nThere is no documented procedure for developing and approving a system security plan\n(severity: minor).\n\n\n\n\nStrengths: CNS\'s computer security policy is based on the concept of least privilege,\nwhich requires that users only have access to the information that they require to perform\ntheir job function. Access is limited to individuals at CNS through the use of\nidentification badges and key cards. Data integrity and validation controls are used to\nprovide assurance that the information has not been altered and the system functions as\nintended. Controls have been implemented to mitigate other disasters such as floods,\nearthquakes or fire. CNS updated and tested its disaster recovery plan in August\n2001. A Service Level Agreement exists with the National Business Center (NBC) that\ncalls for NBC to provide monitoring, maintenance and tracking of configuration changes\nfor the hardware, system software, database software and telecommunications.\nCorporation employees and contractors are required to complete annual security\nawareness training. Training requires all CNS IT users to acknowledge rules and\nguidelines by which they must abide. CNS has documented and updated Computer\nIncident Response Guidelines specifying internal reporting procedures for detected\nsecurity incidents.\nWeakness: The Business Continuity and Contingency plan dated August 2001 was\nprepared initially for Y2K. No significant changes have been made to it. However, the\nCorporation does conduct annual tests of its Disaster Recovery Plan. The next testing is\nscheduled for September 2002 (severity: medium). No documented procedure exists for\nmanagement review of persons granted physical access to sensitive facilities. However,\n\x0cthe Deputy CIO does review the names on the computer center sign-in roster to ensure\nthat only authorized persons have been granted access (severity: medium). No\ndocumented policy and procedure exists to ensure that access to all program libraries is\nrestricted and controlled (severity: medium). No documented analysis has been\ncompleted to assess risks (severity: medium). CNS does not have documented\nprocedures for personnel security controls that meet the NIST criteria (severity: medium).\n\n\n\n\nStrengths: All CNS users are required to identify and authenticate themselves by\nproviding a valid username and password at the network level. CNS users who have\nbeen granted access to Momentum are required to authenticate to the application by\nproviding an additional user name and password. All Momentum users are required to\nundergo annual Information Systems Security Awareness Training that educates them on\nthe importance of security. Every transaction processed in Momentum is written to the\ntransaction journal. Because all transactions are recorded in a journal, there is a\ncomprehensive audit trail of all transaction-based activity in the system.\nWeakness: No documented policies exist to limit the number of invalid access attempts\n(severity: minor). Although data owners do review access authorizations, there is no\npolicy that requires the data owners to periodically review access authorization (severity:\nminor). Some CNS user workstations do not automatically log off users and invoke\nscreensavers after a period of inactivity of a defined length, because the version of MS\nWindows currently on these systems is not capable of implementing the automatic logout\nfeature. The Corporation is in the process of upgrading all workstations to a newer\nversion of MS Windows (severity: minor).\n\n\n\x0c                       APPENDIX E\n\n\x0cSYSTEM FOR PROGRAMS, AGREEMENTS AND NATIONAL SERVICE\n               PARTICIPANTS (SPAN)\n            GISRA ASSESSMENT SUMMARY\n                                      FY 2002\n\n\nThe SPAN application was implemented in 1995 to process education award payments\nfor the AmeriCorps National Service Program. The VISTA Management System (VMS),\nintegrated into SPAN in March 2001, tracks the status of and makes payments to\nparticipants of the Volunteers in Service to America (VISTA) program. Three dedicated\nWindows NT servers within the Corporation Network provide separate production,\ndevelopment, and testing platforms for SPAN. SPAN is based on an Oracle database\nmanagement system, and was developed using Oracle application development tools,\nOracle Forms for data entry screens, Crystal Report Writer and Oracle Reports for report\ngeneration. SQL SECURE Password Manager by BrainTree provides authentication and\naccess security to SPAN.\nSPAN interfaces with Momentum, WBRS, and the Department of the Treasury. Weekly\nfile uploads to Momentum update Corporation accounting data. SPAN uses electronic\nfile transfers to receive enrollment data from WBRS, and to provide updated financial\ninformation to WBRS. For the Treasury interface, a SPAN export function creates a\npayment file, which is electronically transmitted to Treasury from a stand-alone\nworkstation using Treasury software. 
There is no direct connection between SPAN and\nTreasury\'s financial management system.\nThe senior Corporation program official responsible for SPAN is Charlene Dunn,\nDirector of Trust Management.\nThe methodology used for this GISRA assessment is the CIO Council\'s Federal\nInformation Security Self-Assessment Framework. The Self-Assessment Framework\nrequires the use of the control criteria found in NIST Special Publication 800-26.\nThe remainder of this report summarizes the key strengths and weaknesses for\nmanagement, operational and technical controls. Each weakness is classified with a\nseverity rating of major, medium or minor. Special weight was given to those areas that\nGISAR directly addresses.\n\n\n\n\nFY 2002 GISRA Report                    Page E-1                             Appendix E\n\x0cOffice of Inspector General\nCorporation for National and Community Service\n\n\n\n                                           Chart 5     - SPAN - GlSRA Assessment Summary\n                            Level 1               Level 2                      Level 3                   Level 4                      Level 5\n                                                                        Implemented Procedures    Tested and Reviewed          Fully lntegrated\n                       Documented Policy   Documented Procedures             and Controls        Procedures and Controls   Procedures and Controls\n\n\n\n\nFY 2002 GZSRA Report                                               Page E-2                                                         Appendix E\n\x0cOffice of Inspector General\nCorporation for National and Community Service\n\n\n\n\nStrengths: A risk analysis was conducted as part of the SPAN re-accreditation process,\nand is included as part of the accreditation document. The re-accreditation was\ncompleted in June 2001. CNS has developed and implemented a security plan for the\nSPAN application, in accordance with the CNS Computer Security Policy. 
The SPAN\nSecurity Plan states that the CNS System Development Life Cycle (SDLC) process was\nfollowed for the implementation, development, and operationlmaintenance phase of the\nSPAN life cycle. The SPAN Security Plan also states that the IT Security Representative\nwas heavily involved with the recent integration of VMS into SPAN.\nWeaknesses:       CNS does not have documented procedures for conducting risk\nassessments. CNS relies upon the guidance in OMB Circular A-130 (severity: medium).\nThe most recent risk assessments performed for the Corporation have not included a\nbusiness impact analysis (severity: medium). There is no documented procedure for\nperiodically reviewing the operating system\'s configuration (severity: medium). There\nare no documented policies and procedures for ensuring electronic records are properly\ndisposed or archived. (severity: minor).\n\n\n\n\nStrengths: CNS computer security policy is based on the concept of least privilege, which\nrequires that users only be granted access to that information that they require to perform\ntheir job function. Access is limited to individuals at CNS through the use of\nidentification badges and key cards. Data integrity and validation controls are used to\nprovide assurance that the information has not been altered and the SPAN system\nfunctions as intended. Controls have been implemented to mitigate other disasters such\nas floods, earthquakes or fire. CNS updated and tested its disaster recovery plan in\nAugust 2001. Corporation employees and contractors are required to complete annual\nsecurity awareness training. Training requires all CNS IT users to acknowledge rules and\nguidelines by which they must abide. CNS has documented and updated Computer\nIncident Response Guidelines specifying internal reporting procedures for detected\nsecurity incidents.\nWeaknesses: The Business Continuity and Contingency plan dated August 2001 was\nprepared initially for Y2K. 
No significant changes have been made to it. However, the\nCorporation does conduct annual tests of its Disaster Recovery Plan. The next testing is\nscheduled for September 2002 (severity: medium). There are no documented policies\nand procedures regarding how data is shared between interconnected systems (severity:\nmedium). There is no documented analysis completed to access risks (severity: medium).\nCNS has incomplete documented procedures for personnel security controls (severity:\nmedium).\n\n\n\n\nFY 2002 GZSRA Report                     Page E-3                               Appendix E\n\x0cOffice of Inspector General\nCorporation for National and Community Service\n\n\n\n\nStrengths: CNS users who have been granted access to SPAN are required to authenticate\nto the application by providing an additional user name and password in addition to their\nnetwork username and password. All SPAN users are required to undergo annual\nInformation Systems Security Awareness Training that educates users on the importance\nof security. Because every transaction processed in SPAN is written to a journal, there is\na comprehensive audit trail of all transaction-based activity in the system.\nWeaknesses: No documented policies exist to limit the number of invalid access\nattempts (severity: minor). Although data owners do review access authorizations, there\nis no policy that requires the data owners to periodically review access authorization\n(severity: minor). Some CNS user workstations do not automatically log off users and\ninvoke screensavers after a period of inactivity of a defined length, because the version of\nMS Windows currently on these systems is not capable of implementing the automatic\nlogout feature. The Corporation is in the process of upgrading all workstations to a\nnewer version of MS Windows (severity: minor).\n\n\n\n\nFY 2002 CISRA Report                      Page E-4                               Appendix E\n\x0c'